Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Image To Data
v2.0.0
Extract data from construction images using AI Vision. Analyze site photos, scanned documents, drawings.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to extract structured data from construction images (OCR, object detection, measurements) which coheres with requiring filesystem and network access (for local images + vision APIs). However, the manifest (requires.env: none) does not declare any API keys even though the instructions explicitly say 'All API keys loaded from environment variables' and mention calling Claude/OpenAI Vision. That omission is an inconsistency: either the skill should enumerate required credentials, or it will attempt to use any available secrets in the environment.
Instruction Scope
SKILL.md and instructions.md direct the agent to read arbitrary image file paths, perform OCR/detection, and call external AI Vision APIs. The docs are vague about which env vars/endpoints to use and do not constrain filesystem paths. The agent is therefore instructed to access local files and make network calls, and could access environment variables broadly because no specific keys are declared.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to be downloaded or executed at install time, which minimizes install-time risk.
Credentials
The skill requires network and filesystem permissions (declared in claw.json) but declares no required environment variables. The instructions nevertheless expect API keys from env vars (e.g., Claude/OpenAI Vision). That mismatch is disproportionate: it is unclear which specific secrets are needed and the skill could try to use any env var present. Network + filesystem access combined with unspecified secret usage increases the risk of accidental or malicious exfiltration.
Persistence & Privilege
always is false and there is no install step that modifies other skills or system-wide configuration. The skill does not request permanent/autonomous elevation beyond normal agent invocation.
What to consider before installing
Before installing, ask the publisher which exact API keys/environment variables are required (e.g., OPENAI_API_KEY, CLAUDE_API_KEY) and why. If you proceed: (1) only provide the minimum-scoped key(s) with restricted permissions; (2) run the skill in a sandboxed agent environment so it cannot read unrelated filesystem paths; (3) monitor outbound network requests (to confirm calls go only to expected Vision API endpoints); (4) prefer a version that explicitly lists required env vars in the manifest; and (5) if you cannot verify the required keys/endpoints, avoid giving it any global or high-privilege secrets.
Like a lobster shell, security has layers — review code before you run it.
latest vk97f629h9krbms43jb852mpn8h812wcn
